• OpenVPN Gateway for pfSense running on Atomic Pi

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • How to test if a gateway is online from a bash script? (Script Included)

    13
    0 Votes
    13 Posts
    2k Views
    G
Many thanks to all who provided assistance. Here is the finished script for anyone who may want to use/adapt it. If anyone wants to review/provide suggestions or sees that I've done anything that could cause issues, please feel free to do so.

    #!/bin/sh
    #
    # restartvpn: Restart the OpenVPN client if it is down. The restart is suppressed
    # if the WAN is down.
    #
    # -f / -F : Force: Force reset even if VPN is not down
    # -q / -Q : Quiet: Suppress printed output
    #
    # Run from cron, so pfSsh.php is referenced by its full path throughout.
    #
    PFSSH='/usr/local/sbin/pfSsh.php'
    WAN_ID='WAN_DHCP'        # WAN Gateway ID String
    VPN_IDs='XXXXX_VPNV4'    # VPN Gateway ID Strings (Separate with a space)
    VPN_GWs='1'              # VPN Client ID of gateway (one per VPN_IDs entry, same order)
    GW_DOWN='down'           # Gateway down status string

    # -q / -Q : Quiet: Suppress printed output
    silent=$(echo "$@" | awk '{print (/-[qQ]/ ? 1 : 0)}')
    # -f / -F : Force: Force reset even if VPN is not down
    force=$(echo "$@" | awk '{print (/-[fF]/ ? 1 : 0)}')

    restartvpn(){
        #
        # Restart VPN client $VPN_GW and log the result
        #
        WD=$([ "$WAN_STAT" = "$GW_DOWN" ] && echo "WAN DOWN:" || echo "")
        FC=$([ $force -eq 1 ] && echo "FORCED:" || echo "")
        msg=$(echo $(date +%y/%m/%d-%H:%M:%S-)${ID}-${WD}${FC}$($PFSSH playback svc restart openvpn client $VPN_GW))
        [ $silent -eq 0 ] && echo $msg
        logger "***** ${msg}"
    }

    # Gateway status table: the WAN row gives the status (last column) and
    # the source/public address (third column)
    gwstat=$($PFSSH playback gatewaystatus)
    WAN_STAT=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $NF}')
    PUBLIC_IP=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $3}')

    if [ $silent -eq 0 ];then
        echo -e "$(basename $0) - Public IP: $PUBLIC_IP - $(date)\n\n$gwstat\n"
    fi

    # A WAN outage is not a VPN fault: do nothing unless forced
    if [ "$WAN_STAT" = "$GW_DOWN" -a $force -eq 0 ];then
        msg=$(echo "$(date +%y/%m/%d-%H:%M:%S-)WAN is down-VPN restart not attempted.")
        [ $silent -eq 0 ] && echo $msg
        logger "***** ${msg}"
        exit 1
    fi

    # Walk the VPN gateways; restart the first one found down (or all when forced) and stop
    gw=1
    for ID in $VPN_IDs;do
        VPN_STAT=$(echo "$gwstat" | awk '/'$ID'/{print $NF}')
        VPN_GW=$(echo $VPN_GWs|cut -w -f $gw)
        if [ -n "$VPN_STAT" ];then
            [ $silent -eq 0 ] && echo VPN Gateway: $ID - $([ "$VPN_STAT" = "$GW_DOWN" ] && echo "DOWN" || echo "UP")
            if [ "$VPN_STAT" = "$GW_DOWN" -o $force -eq 1 ];then
                restartvpn
                exit 1
            fi
        else
            [ $silent -eq 0 ] && echo No active gateway $ID
        fi
        gw=$((gw+1))
    done
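A way to read the gateway status by column name instead of by fixed position, as an added example that is not part of the poster's script or of pfSense: it reads the header line of the `gatewaystatus` output, so the Status field is found even when the column layout differs between pfSense versions (for instance when a Substatus column is present), and it matches the gateway name exactly rather than as a regex substring (a pattern like `/WAN_DHCP/` would also hit a `WAN_DHCP6` row). The sample output embedded below is constructed with documentation addresses; the header names `Status`/`Source`, the status words `online`/`down` and the gateway names are assumptions to check against your own `/usr/local/sbin/pfSsh.php playback gatewaystatus` output.

```shell
#!/bin/sh
# Added example, not the poster's script: locate gatewaystatus columns by header
# name instead of fixed position, and match the gateway name exactly.

# gw_field "<gatewaystatus output>" <gateway name> <column header>
# Prints the requested column for the named gateway. Exit status 1 when the
# gateway row or the column header is absent. The first line of the output is
# assumed to be the header line.
gw_field() {
    printf '%s\n' "$1" | awk -v gw="$2" -v want="$3" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        (want in col) && $1 == gw { print $(col[want]); found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

gw_status() { gw_field "$1" "$2" Status; }   # e.g. online / down (assumed values)
gw_source() { gw_field "$1" "$2" Source; }   # address the gateway is monitored from

# gw_is_down: true when the gateway reports "down" or is not listed at all.
# An unlisted gateway is treated as down, never as healthy.
gw_is_down() {
    st=$(gw_status "$1" "$2") || return 0
    [ "$st" = "down" ]
}

# Constructed sample in the shape of
#   /usr/local/sbin/pfSsh.php playback gatewaystatus
# Headers and status words are assumptions; addresses are documentation ranges.
SAMPLE='Name         Monitor        Source         Delay    StdDev   Loss    Status   Substatus
WAN_DHCP     198.51.100.1   203.0.113.5    12.3ms   1.1ms    0.0%    online   none
XXXXX_VPNV4  10.8.0.1       10.8.0.2       0.0ms    0.0ms    100.0%  down     down'

# Usage: decide whether the VPN client needs a restart, but only while the WAN
# is up. The real restart command would be:
#   /usr/local/sbin/pfSsh.php playback svc restart openvpn client 1
if gw_is_down "$SAMPLE" WAN_DHCP; then
    echo "WAN is down - VPN restart not attempted"
elif gw_is_down "$SAMPLE" XXXXX_VPNV4; then
    echo "XXXXX_VPNV4 is down (WAN source $(gw_source "$SAMPLE" WAN_DHCP)) - restart needed"
else
    echo "all gateways up"
fi
```

Replacing `$SAMPLE` with `"$(/usr/local/sbin/pfSsh.php playback gatewaystatus)"` turns the usage block into the same decision the poster's script makes, without depending on the status being the last column.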
  • Route a Fake subnet to Clients with same LAN subnet

    5
    0 Votes
    5 Posts
    884 Views
    jimpJ
That NAT must be done on the client side, as others have stated, but since you are using OpenVPN there is a chance you can pull it off. I have not tried this but OpenVPN also has built-in NAT:
    --client-nat snat|dnat network netmask alias
    This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective. Use snat (source NAT) for resources owned by the client and dnat (destination NAT) for remote resources.
    So you could try this in the client config:
    client-nat dnat 10.100.0.0/255.255.255.0 192.168.0.0/255.255.255.0
    That could be pushed in a client-specific override as well.
  • OpenVPN change server virtual interface

    11
    0 Votes
    11 Posts
    1k Views
    V
@JKnott The pfSense is used only as a VPN box; it is not used as a gateway by any other equipment. I think I should have mentioned this in the beginning. The pfSense only has an interface on that subnet with an IP. Like I mentioned, right now what I set up is working. But this does not get to the question I was asking, which is whether I can change the server virtual IP address which OpenVPN raises on the interface, regardless of what I am trying to implement or not.
  • Port Forwarding over OpenVPN

    3
    0 Votes
    3 Posts
    416 Views
    T
Hi, I had this working but changed the OpenVPN settings recently to not route all traffic through the VPN, and it has stopped working. Once I resolve the VPN issue I will confirm the full configuration to help others out. Regards,
  • 0 Votes
    1 Posts
    393 Views
    No one has replied
  • NAT network over OpenVPN

    5
    0 Votes
    5 Posts
    618 Views
    A
Well, after other issues that were blocking the project, NAT for me worked as I described above:
    Interface: VPN (interface added in Interfaces > add ovpns)
    External subnet IP: 172.16.8.0
    Internal IP: 192.168.0.0/24
    I note it here in case someone comes across the post and finds it useful. Thank you very much for the answers.
  • OpenVPN routing question

    5
    0 Votes
    5 Posts
    586 Views
    T
I use CSO already.
    Site A has a route entry for the remote site, the rest is set by CSO:
    route 172.16.254.0 255.255.255.0;
    Site B does not have any routes; they are set by CSO.
    Server has this:
    route 172.16.254.0 255.255.255.0 192.168.98.2;
    route 172.16.0.0 255.255.254.0 192.168.98.3;
    I need this to get the packets back to the OpenVPN interface.
    CSO for Site A on the server is this:
    iroute 172.16.0.0 255.255.254.0;
    ifconfig-push 192.168.98.2 255.255.254.0;
    I need to set static IPs for the route entry in the previous step.
    CSO for Site B on the server is this:
    iroute 172.16.254.0 255.255.255.0;
    push "route 172.16.0.0 255.255.254.0";
    ifconfig-push 192.168.98.3 255.255.254.0;
    The reason for the difference between site A and B is that Site A has the option "don't pull routes" enabled. So instead of a push route in CSO, I have the route option on the client directly. It is working like this. However, I have the feeling that it should be possible without setting static tunnel IPs. If I use the remote network box, the routes that are added are then all pointing to the same tunnel. Btw. is there any way to show the learned OpenVPN iroutes? The only way I found was via the logs, which is a pain if you miss the correct moment.
• LAN through OpenVPN not accessible

    4
    0 Votes
    4 Posts
    462 Views
    ReneMGR
@jimp Hi again! I have been checking some points like LAN router NAT and server configs, and through the packet capture on pfSense I've found this capturing OpenVPN packets:
    15:01:08.596584 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
    15:01:08.596607 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
    15:01:08.596617 IP 192.168.168.1 > 192.168.168.2: ICMP redirect 192.168.168.10 to host 192.168.168.2, length 72
    where 192.168.168.2 is a WAN connection over OpenVPN (my phone), 192.168.168.10 is the remote machine with RDP (WS2019) and 192.168.168.1 is the LAN router. Look at the TCP 0??? What does it mean? With the firewall always disabled to test connections and no AVs, and after 2 days testing several things, I've found 3 different scenarios:
    1. RDP from LAN to LAN works on any computer (W10Pro and WS 2019).
    2. RDP from WAN to LAN works in a W10Pro but not in a WS2019 Datacenter only with Remote access (NO RDS) and the same IP or network as the W10Pro, directly by default port 3389. Tested with a PC the error reported is "internal Error" and tested with my phone the error is 0x4 or 0x104.
    3. RDP from WAN to LAN over OpenVPN doesn't work in any computer at default port 3389, same errors.
    Note the different OS behavior!!
    CONFIGS:
    OPEN VPN: WAN UDP4 / 1194, 192.168.168.0/27, Crypto: AES-256-GCM/SHA512, D-H Params: 4096 bits
    OPEN VPN (tun3): IPv4 Tunnel Network 192.168.168.0/27
    OUTBOUND NAT MODE:
    WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * 500 WAN address * Auto created rule for ISAKMP
    WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * * WAN address * Auto created rule
    PORT FORWARD:
    WAN TCP * * WAN address 3389 (MS RDP) 172.16.16.1 3389 (MS RDP) RDP
    OPEN VPN RULES:
    IPv4 * * * * * * none OpenVPN
    OPEN VPN wizard WAN RULES:
    IPv4 UDP * * 10.10.10.11 1194 (OpenVPN) * none OPEN VPN
    Any idea? Do you need some specific info? Thank you very much!!
  • Add Subnet Ipsec To OpenVpn

    6
    0 Votes
    6 Posts
    687 Views
    D
    On the Zyxel side do I have to add routes?
  • pfSense + OpenVPN - Need to export client after restart server

    3
    0 Votes
    3 Posts
    330 Views
    T
    Thank you so much, jimp! So I was looking for the solution in the wrong place. I'm sorry for the mistake.
• OpenVPN Road Warrior - User connection notification

    3
    0 Votes
    3 Posts
    307 Views
    V
Thanks, I'm following this post and I also sent a request, thank you very much :)
  • Firewall blocks connections it shouldn't

    2
    0 Votes
    2 Posts
    459 Views
    johnpozJ
FA, that is a FIN,ACK - it would be out of state - yes, those would be blocked. https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html
  • OpenVPN Disconnection issue

    2
    0 Votes
    2 Posts
    162 Views
    A
@jcubio can you try adding this parameter in Advanced Configuration > Custom options: reneg-sec 36000. It looks like the session is restarting.
  • Client not getting /32 route to pfSense

    10
    0 Votes
    10 Posts
    899 Views
    JKnottJ
    @4xTroy My OpenVPN tunnel works fine without doing that. I only have "push "route 0.0.0.0 0.0.0.0";push "route-ipv6 ::/0"" in Additional configuration options.
  • OpenVPN interface assignment

    openvpn interface clients
    2
    0 Votes
    2 Posts
    835 Views
    RicoR
    The interface used by the firewall to originate this OpenVPN client connection so typically this would be WAN. In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs. I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default. -Rico
  • pfSense 2.4.5 with OpenVPN and an external Radius Server with 2FA TOTP

    2
    0 Votes
    2 Posts
    521 Views
    N
    Your problem looks like the one "reneg-sec 0" solves. Is this option in the client's config too?
  • 0 Votes
    21 Posts
    2k Views
    S
@Rico sadly that doesn't seem to solve the issue. I deployed OpenVPN on Ubuntu behind the firewall and forwarded the port, and now I've got it working. I am not sure why it's not working, to be honest, but the fact that it worked for a while and that it's very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VMs. Anyway, thank you for all the help.
  • push dns record?

    3
    0 Votes
    3 Posts
    1k Views
    noplanN
Working with a split tunnel too? Not yet tested (tomorrow on the to-do list). Maybe some time for coffee can be saved. #staySafe
  • Client device filtering

    20
    0 Votes
    20 Posts
    2k Views
    noplanN
Hey folks, I'm the one who is not willing to pay for useless fancy stuff that keeps me off work when I need it because I have not patched my OS and a fancy tool is keeping / shutting me off the VPN. Airports are not that lovely when you travel a lot!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.